[WG-OTTO] Notes from SAML work today

Mike Schwartz mike at gluu.org
Mon Jan 15 17:41:33 UTC 2018


Keith is doing some great work on the SAML vocabulary. He's checked in a 
draft vocab which I linked at http://www.gluu.co/otto-saml

Today, we were discussing the "SAML Identity Provider Endpoint" section. 
We raised a few issues:

  1. Add idpMetadataURL as a required field. Note: for SP it may not be 
required, which is why I think it's ok for this to go in the IDP Class.

  2. Make all the "Expected Type" fields more explicit

  3. Break "Keys" into "idpSigningKey" and "idpEncryptionKey", with type 
X.509 certificate? String formatted? I think this is needed because even 
though the

  4. Remove Registrar? -- The IDP is operated by a participant, who is 
registeredBy by a federation. Is the reverse mapping needed?

  5. Domain -- Note, the data will be XML here, for example:
   <samlMd:Scope regexp="false">idp.example.edu</samlMd:Scope>

  6. "Identity Provider Binding" and "SAML Attribute Authority Endpoint": 
remove, as this information is in the idpMetadata

  7. Note: what about filtering by the federation? Perhaps idpMetadataURL 
is the source metadata, but the federation can render its own metadata 
for that IDP, and publish it as 'publicIdpMetadata' which returns the 
filtered SAML XML metadata?

  8. Mike added a new property to the Participant class called 
"privacyStatement" of type URL to link privacy information.

- Mike
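As an added example (not from Mike's message or Keith's vocabulary draft), the extraction behind items 3 and 5: splitting an IdP's signing and encryption certificates and its Scope values out of SAML metadata, including the case where a KeyDescriptor carries no `use` attribute. The sample metadata is constructed, the certificate bodies are placeholders, and the Scope element is assumed to be the Shibboleth metadata extension (the samlMd: prefix in item 5 is taken to map to that namespace).

```python
import xml.etree.ElementTree as ET

# Namespaces of SAML 2.0 metadata. Scope is not in the core schema; the
# Shibboleth metadata namespace is assumed for the samlMd:Scope element above.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "shibmd": "urn:mace:shibboleth:metadata:1.0",
}
# Constructed sample IdP metadata; certificate bodies are placeholders.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
    entityID="https://idp.example.edu/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <shibmd:Scope regexp="false">idp.example.edu</shibmd:Scope>
      <shibmd:Scope regexp="true">^.*\\.example\\.edu$</shibmd:Scope>
    </md:Extensions>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>SIGNING-CERT-PLACEHOLDER</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>ENC-CERT-PLACEHOLDER</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def extract_idp_keys_and_scopes(metadata_xml: str) -> dict:
    """Return signing/encryption certs and literal vs. regexp scopes of the IdP.
    A KeyDescriptor without 'use' is valid for both purposes and is listed under
    both; regexp="true" scopes are kept apart since they are not plain domains."""
    # For metadata fetched from an untrusted source, parse with defusedxml instead.
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor in metadata")
    out = {"entityID": root.get("entityID"), "signing": [], "encryption": [],
           "scopes": [], "regexp_scopes": []}
    for kd in idp.findall("md:KeyDescriptor", NS):
        cert = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate",
                           default="", namespaces=NS)
        use = kd.get("use")  # None means the key serves both purposes
        for purpose in (["signing", "encryption"] if use is None else [use]):
            out[purpose].append("".join(cert.split()))
    for scope in idp.findall("md:Extensions/shibmd:Scope", NS):
        bucket = "regexp_scopes" if scope.get("regexp") == "true" else "scopes"
        out[bucket].append((scope.text or "").strip())
    return out
```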

